Total CVEs
5632
last 30 days
Avg Priority
35.3
of max 220
KEV
8
actively exploited
POC
756
public exploits
Unpatched
1089
CRIT/HIGH without patch
How is Priority Score calculated?
Priority Score is a composite risk metric (0-220) combining multiple real-world threat signals:
KEV +50
CISA Known Exploited Vulnerability — confirmed active exploitation in the wild
EPSS x100
Exploit Prediction Scoring System — probability of exploitation in next 30 days (0-100)
CVSS x5
Common Vulnerability Scoring System — technical severity (0-50)
POC +20
Public exploit code exists — lowers barrier for attackers
0-40 Low
40-80 Medium
80-120 High
120+ Critical
Patch Now — Known Exploited Vulnerabilities
124
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an
119
CVE-2026-5281
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had co
118
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Control
117
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publi
117
CVE-2026-3055
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP l
114
CVE-2026-34197
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability i
109
CVE-2026-3502
TrueConf Client downloads application update code and applies it without performing verification. An
109
CVE-2026-32201
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform
Priority Distribution
| Priority | CVE |
|---|---|
| 35 |
CVE-2026-39935
Improper neutralization of input during web page generation ('cross-site scripti
|
| 35 |
CVE-2026-39936
Improper neutralization of input during web page generation ('cross-site scripti
|
| 35 |
CVE-2026-28767
A specific administrative endpoint notifications is accessible without proper au
|
| 35 |
CVE-2026-34606
Frappe Learning Management System (LMS) is a learning system that helps users st
|
| 35 |
CVE-2026-30879
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS ha
|
| 35 |
CVE-2026-39422
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 35 |
CVE-2026-39423
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below co
|
| 35 |
CVE-2026-39963
### Summary
The `serendipity_setCookie()` function uses `$_SERVER['HTTP_HOST']`
|
| 35 |
CVE-2026-33993
## Summary
The `unserialize()` function in `locutus/php/var/unserialize` assign
|
| 35 |
CVE-2026-34510
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows med
|
| 35 |
CVE-2026-39892
If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g
|
| 35 |
CVE-2026-39979
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb
|
| 35 |
CVE-2026-39934
Loop with unreachable exit condition ('infinite loop') vulnerability in The Wiki
|
| 35 |
CVE-2026-35637
OpenClaw before 2026.3.22 performs cite expansion before completing channel and
|
| 35 |
CVE-2026-34404
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6
|
| 35 |
CVE-2026-34211
## Summary
The `@nyariv/sandboxjs` parser contains unbounded recursion in the `
|
| 35 |
CVE-2026-5503
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally
|
| 35 |
CVE-2026-33977
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to versio
|
| 35 |
CVE-2026-2404
CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could
|
| 35 |
CVE-2026-1556
Information disclosure in the file URI processing of File (Field) Paths in Drupa
|
| 35 |
CVE-2026-39351
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0,
|
| 35 |
CVE-2026-32924
OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where F
|
| 35 |
CVE-2026-34722
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0
|
| 35 |
CVE-2026-1612
AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that a
|
| 35 |
CVE-2026-4262
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker t
|
| 35 |
CVE-2025-20628
An insufficient granularity of access control vulnerability exists in PingIDM (f
|
| 35 |
CVE-2026-4263
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker t
|
| 35 |
CVE-2026-5131
GREENmod uses named pipes for communication between plugins, the web portal, and
|
| 35 |
CVE-2026-32853
LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap
|
| 35 |
CVE-2026-22815
### Summary
Insufficient restrictions in header/trailer handling could cause un
|
| 35 |
CVE-2026-35652
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in inte
|
| 35 |
CVE-2026-4901
Hydrosystem Control System saves sensitive information into a log file. Critical
|
| 35 |
CVE-2026-35661
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Tele
|
| 35 |
CVE-2026-34426
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerabili
|
| 35 |
CVE-2026-35665
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where th
|
| 35 |
CVE-2026-34443
FreeScout is a free help desk and shared inbox built with PHP's Laravel framewor
|
| 35 |
CVE-2026-32326
SHARP routers do not perform authentication for some web APIs. The device inform
|
| 35 |
CVE-2026-5346
A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is
|
| 35 |
CVE-2026-6105
A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7
|
| 35 |
CVE-2026-40104
### Impact
REST API endpoints like `/xwiki/rest/wikis/xwiki/spaces/AnnotationCod
|
| 35 |
CVE-2026-5536
A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the fu
|
| 35 |
CVE-2026-35655
OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP per
|
| 35 |
CVE-2026-34504
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability i
|
| 35 |
CVE-2026-34235
PJSIP is a free and open source multimedia communication library written in C. P
|
| 35 |
CVE-2026-4990
A security vulnerability has been detected in chatwoot up to 4.11.1. The affecte
|
| 35 |
CVE-2026-33700
Vikunja is an open-source self-hosted task management platform. Prior to version
|
| 35 |
CVE-2026-33576
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels
|
| 35 |
CVE-2026-35383
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source o
|
| 35 |
CVE-2026-5736
A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unk
|
| 35 |
CVE-2026-5334
A weakness has been identified in itsourcecode Online Enrollment System 1.0. Imp
|
| 35 |
CVE-2026-5237
A security flaw has been discovered in itsourcecode Payroll Management System 1.
|
| 35 |
CVE-2026-4955
A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44.
|
| 35 |
CVE-2026-5150
A security vulnerability has been detected in code-projects Accounting System 1.
|
| 35 |
CVE-2026-5824
A security vulnerability has been detected in code-projects Simple Laundry Syste
|
| 35 |
CVE-2026-5195
A flaw has been found in code-projects Student Membership System 1.0. This issue
|
| 35 |
CVE-2026-5813
A weakness has been identified in PHPGurukul Online Course Registration 3.1. Thi
|
| 35 |
CVE-2026-5648
A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerabi
|
| 35 |
CVE-2026-5238
A weakness has been identified in itsourcecode Payroll Management System 1.0. Af
|
| 35 |
CVE-2026-5256
A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerabi
|
| 35 |
CVE-2026-5257
A vulnerability has been found in code-projects Simple Laundry System 1.0. This
|
| 35 |
CVE-2026-33088
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability
|
| 35 |
CVE-2026-27697
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS ha
|
| 35 |
CVE-2026-33773
An Incorrect Initialization of Resource vulnerability in the packet forwarding e
|
| 35 |
CVE-2026-32662
Development and test API endpoints are present that mirror production functional
|
| 35 |
CVE-2026-5575
A vulnerability was detected in SourceCodester/jkev Record Management System 1.0
|
| 35 |
CVE-2026-33774
An Improper Check for Unusual or Exceptional Conditions vulnerability in the pac
|
| 35 |
CVE-2026-21630
Improperly built order clauses lead to a SQL injection vulnerability in the arti
|
| 35 |
CVE-2026-4956
A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.
|
| 35 |
CVE-2026-35654
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Micr
|
| 35 |
CVE-2026-35647
OpenClaw before 2026.3.25 contains an access control vulnerability where verific
|
| 35 |
CVE-2026-2399
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traver
|
| 35 |
CVE-2026-0827
During an internal security assessment, a potential vulnerability was discovered
|
| 35 |
CVE-2026-21013
Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allow
|
| 35 |
CVE-2026-34941
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0
|
| 35 |
CVE-2026-0209
Under certain administrative conditions, FlashArray Purity may apply snapshot re
|
| 35 |
CVE-2025-71280
XenForo before 2.3.7 allows information disclosure via local account page cachin
|
| 35 |
CVE-2026-35667
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where th
|
| 35 |
CVE-2026-32919
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowin
|
| 35 |
CVE-2026-40446
Access of resource using incompatible type ('type confusion') vulnerability in S
|
| 35 |
CVE-2026-34400
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API
|
| 35 |
CVE-2025-68152
Juju is an open source application orchestration engine that enables any applica
|
| 35 |
CVE-2026-28553
Vulnerability of improper permission control in the theme setting module.
Impact
|
| 35 |
CVE-2026-41253
In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS
|
| 34 |
CVE-2026-5802
A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an
|
| 34 |
CVE-2026-5672
A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0.
|
| 34 |
CVE-2026-40299
next-intl provides internationalization for Next.js. Applications using the `nex
|
| 34 |
CVE-2026-5689
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affec
|
| 34 |
CVE-2026-40306
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS
|
| 34 |
CVE-2026-5690
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted ele
|
| 34 |
CVE-2026-40476
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the
|
Oldest Unpatched Critical/High CVEs
| CVE | Severity | CVSS | Priority | Days Open |
|---|---|---|---|---|
| CVE-2024-3400 | CRITICAL | 10.0 | 224 | 738d |
| CVE-2019-19781 | CRITICAL | 9.8 | 223 | 2305d |
| CVE-2020-5902 | CRITICAL | 9.8 | 223 | 2118d |
| CVE-2021-35464 | CRITICAL | 9.8 | 223 | 1732d |
| CVE-2020-10189 | CRITICAL | 9.8 | 223 | 2235d |
| CVE-2012-4681 | CRITICAL | 9.8 | 223 | 4983d |
| CVE-2022-42475 | CRITICAL | 9.8 | 223 | 1204d |
| CVE-2023-3519 | CRITICAL | 9.8 | 223 | 1005d |
| CVE-2015-7450 | CRITICAL | 9.8 | 222 | 3760d |
| CVE-2023-34048 | CRITICAL | 9.8 | 222 | 907d |